Table 3. Useful gadgets by combining instructions

Operations          Useful gadgets
Memory reading      <register writing>  <or (%eax), %ebx; ret;>
Addition            loop: <inc %eax; ret;>
Register writing    <mov $const, %eax; ret;>  <lea ($const), %eax; ret;>  <addition>
make our analysis more complicated, taking them into consideration helps us
find more useful gadgets. For example, in searching for gadgets to pop data
from the stack to a register, we only managed to find <pop eax; ret;> and
<pop ecx; ret;> directly from apache-2.2.15. After analyzing instructions
with some side-effects, we managed to find <pop ebx; pop ebp; ret;> and
<pop edx; push eax; std; dec ecx; ret;> with one and three instructions
with side-effects in the middle, respectively.
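The following is an added illustration, not code from the paper: a small abstract machine that executes the gadgets of Table 3 and the side-effect gadgets above as a return-oriented chain. It shows why a memory read needs a <register writing> step before <or (%eax), %ebx; ret;>, and why a gadget with side-effects such as push eax before ret constrains the rest of the chain. Gadget addresses, the sample memory contents and the stack layout are constructed values, not offsets from apache-2.2.15.

```python
from dataclasses import dataclass, field

@dataclass
class State:
    regs: dict = field(default_factory=lambda: dict.fromkeys(("eax", "ebx", "ecx", "edx", "ebp"), 0))
    df: int = 0                                    # direction flag, set by std
    mem: dict = field(default_factory=dict)        # address -> dword (constructed sample memory)
    stack: list = field(default_factory=list)      # stack[0] is the top, i.e. the next value popped
    clobbered: list = field(default_factory=list)  # side-effects recorded while running

# Constructed gadget addresses (labels only, not real binary offsets).
G_POP_EAX, G_MOV0_EBX, G_OR_MEM, G_POP_EBX_EBP, G_POP_EDX_SIDE = 0x1000, 0x1004, 0x1008, 0x100C, 0x1010

def pop_eax(s):             # <pop eax; ret;>
    s.regs["eax"] = s.stack.pop(0)

def mov0_ebx(s):            # <mov $0, %ebx; ret;>  -- the <register writing> step of Table 3
    s.regs["ebx"] = 0

def or_mem_eax_ebx(s):      # <or (%eax), %ebx; ret;>  -- a memory read once ebx is zero
    s.regs["ebx"] |= s.mem.get(s.regs["eax"], 0)

def pop_ebx_pop_ebp(s):     # <pop ebx; pop ebp; ret;>  -- one side-effect instruction (pop ebp)
    s.regs["ebx"] = s.stack.pop(0)
    s.regs["ebp"] = s.stack.pop(0); s.clobbered.append("ebp")

def pop_edx_side(s):        # <pop edx; push eax; std; dec ecx; ret;>  -- three side-effects
    s.regs["edx"] = s.stack.pop(0)
    s.stack.insert(0, s.regs["eax"])     # push eax: the trailing ret now returns to whatever eax holds
    s.df = 1; s.regs["ecx"] = (s.regs["ecx"] - 1) & 0xFFFFFFFF
    s.clobbered += ["ret->eax", "DF", "ecx"]

GADGETS = {G_POP_EAX: pop_eax, G_MOV0_EBX: mov0_ebx, G_OR_MEM: or_mem_eax_ebx,
           G_POP_EBX_EBP: pop_ebx_pop_ebp, G_POP_EDX_SIDE: pop_edx_side}

def run_chain(stack, mem):
    """Run a stack of gadget addresses and data until a ret lands on a non-gadget address."""
    s = State(mem=dict(mem), stack=list(stack))
    ip = s.stack.pop(0)
    while ip in GADGETS:
        GADGETS[ip](s)
        ip = s.stack.pop(0)              # the ret that terminates every gadget
    return s

def read_memory_chain(addr):
    """Memory reading by combining <register writing> with <or (%eax), %ebx; ret;>."""
    chain = [G_MOV0_EBX, G_POP_EAX, addr, G_OR_MEM, 0xDEAD]
    return run_chain(chain, {addr: 0x41424344}).regs["ebx"]

def side_effect_chain():
    """pop_edx_side only continues the chain because eax was first loaded with the next gadget."""
    return run_chain([G_POP_EAX, G_POP_EBX_EBP, G_POP_EDX_SIDE, 0x11, 0x22, 0x33, 0xDEAD], {})
```

In side_effect_chain the pop eax gadget loads G_POP_EBX_EBP into eax beforehand, so the push eax side-effect redirects the ret to that gadget, which then consumes 0x22 and 0x33; the clobbered list records every side-effect an analyst has to account for.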
4.3 Attacks on Apache and Other Programs
With the techniques discussed in Section 4.2, we search the binary code of
apache-2.2.15 and other programs to see if the needed gadgets can be found
using the Galileo algorithm [14]. The number of gadgets found for different
operations is presented in Table 4.
Table 4. Number of gadgets found

Programs                    Memory reading  Addition  Register writing
apache-2.2.15 (695 KB)      2               7         34
vsftpd-2.2.2 (116 KB)       1               3         47
bind-9.7.0 (486 KB)         3               1         17
sendmail-8.14.3 (806 KB)    1               4         14
mplayer-1.0~rc3 (4 MB)      5               19        117
firefox-3.6.3 (50 KB)       0               1         13
Table 4 shows that we managed to find the needed gadgets in apache, vsftpd,
bind, sendmail, and mplayer, while relatively small programs, e.g., firefox¹,
may not provide enough useful gadgets.
To try out our attack on apache-2.2.15 on a real system, we downloaded the
address space randomization proposed by Bhatkar et al. and migrated the code
to a PaX-enabled Ubuntu 10.04 desktop computer. We configure the system
such that the base address of the library, the order of library functions, and
the PLT and GOT are randomized. We then use gdb to overflow a buffer of
apache-2.2.15 on the stack with our attack code. The attack successfully
creates a shell for arbitrary computation. Appendix A shows the shell code
that we use in this attack. Since

¹ Firefox is a large program, but its binary file, /usr/lib/firefox-3.6.3/firefox-bin
(under Ubuntu-10.04), is only 50 KB, as most functionality is provided in libraries.